GDPR One Year In: What We’ve Learned

A little more than a year ago, the European Union’s General Data Protection Regulation (GDPR) went into effect. As most of you know, GDPR lays out a set of rules designed to protect personal data and privacy for citizens of the European Union (EU) and the European Economic Area (EEA). Under the rules, any organization operating within the EU must adhere to strict conditions when collecting personal data, and must also protect that data from theft, exploitation, and abuse. Organizations must also track all data breaches and report these to authorities “within 72 hours of becoming aware of the breach, where feasible”. To enforce the measures, GDPR calls for stiff penalties against organizations that fail to adhere to the regulations (read a longer overview of GDPR here).

So how effective have the regulations been since GDPR became law? Well, the results have been decidedly mixed. All indications show that the policy has largely been a failure at enforcement, while being somewhat more successful when it comes to data breach notification. I thought it might be worthwhile to take a closer look at what’s been working and what hasn’t with GDPR, and what can be learned when it comes to data protection stateside.

Data breach reporting

According to a recent survey by the law firm DLA Piper, 60,000 data breaches were self-reported by businesses during the first eight months of GDPR. This number more than doubles breach self-reporting from the year prior, before the new regulations took effect. This is good news for consumers whose personal information may have been compromised in a security breach, as it gives them essential information that they can act upon to minimize the damage. These reports also provide valuable information for cybersecurity pros trying to limit future breaches and give researchers and regulators a better understanding of current and potential future threats.

The success of the self-reporting component of GDPR could serve as a wake-up call for the U.S., where a myriad of state laws provide an inconsistent framework of breach-notification standards. Critics of federal legislation have feared that a federal law might weaken breach reporting in comparison with the strictest state statutes, but GDPR shows that a unified framework is possible, and that it might be more successful in the long run.

GDPR enforcement lacking teeth

Through June 2019, GDPR fines have totaled 286 million Euros. However, 50 million of that was imposed against one organization: Google, on January 21st of 2019. And while there have been more than 200,000 investigations leading to 64,000 confirmed violations, the stiff fines meant to ensure compliance have largely not materialized. Given that EU data regulators are authorized to levy fines of up to 4% of a company’s total annual revenue, the penalties issued against violators have been, for the most part, minuscule. The overwhelming majority of companies simply aren’t paying any fine at all for leaving customer data unprotected, and the few that have had to pay are seeing fine amounts that are negligible compared to their overall earnings.

There are signs that regulators are aware of the issues and things may be changing. It was recently announced that British Airways is facing a record GDPR fine of over 205 million Euros over a data security breach. We are seeing many EU countries continue to develop strategies under GDPR for calculating fines in a more consistent and equitable manner. And a case can be made that at this very early stage, just over a year in, regulators have rightly been focused on investigating the more high-profile cases, such as Google and Facebook. This leaves fewer resources available for enforcement actions against the smaller violators. Perhaps, as regulatory agencies grow and enforcement processes mature, there will be a significant increase in both the number of successful cases and the total amount of money paid by each violator. Both must happen for GDPR to serve as an effective deterrent.

What it all means for the U.S.

While there is currently no equivalent to GDPR at the federal level, there are some indications that this might be changing in the not-so-distant future. Some of the major tech players are calling for increased federal oversight regarding privacy protections, including Apple and Microsoft, both of which have pledged to abide by the data protection and breach reporting standards spelled out in GDPR. In addition, some states, like California, have enacted strict privacy laws that seek to emulate EU efforts (read more about the California Consumer Protection Act here). Despite this and bipartisan support at many government levels, there hasn’t yet been agreement on how best to implement a comprehensive national policy on data protection in the U.S.

No matter how the U.S. chooses to protect consumers from data security breaches in the future, there is a lot we can learn from both the successes and failures of GDPR thus far. Policy makers here would be wise to continue to monitor developments in Europe, then use that knowledge to enact common-sense data protection laws that most benefit businesses and the public they serve.